The state-of-the-art for Honeypot systems

Date: September 08, 2009

In November 2008, the WOMBAT project (Worldwide Observatory of Malicious Behaviors and Attack Threats) published a study describing the state of the art for collecting and analyzing malware. This sixty-page document is essential reading for anyone wishing to study the topic. This article gives an overview of it.

The WOMBAT study covers several complementary aspects related to malware capture and analysis:

  • Honeypot system technologies in general
  • Attack detection techniques
  • Malware analysis techniques
  • An inventory of existing initiatives in these areas


The honeypot systems

Section 2.1 of the WOMBAT study describes the different types of honeypot systems:

  • Low-interaction honeypots (e.g. Honeyd or LaBrea), which only emulate the network layers (the IP stack).
  • Medium-interaction honeypots (such as Nepenthes), which rely on the host's existing network stack and focus on emulating the exposed services (e.g. WINS, HTTP, FTP).
  • High-interaction honeypots (such as Argos), which use virtualization (e.g. VMware or QEMU) to present a real, not simulated, environment to the attackers.

The study also describes other honeypot initiatives, such as "client-side" honeypots (e.g. Strider HoneyMonkey or HoneyClient) that simulate a client application (typically Internet Explorer), and wireless honeypots (such as HoneySpot) that simulate a WiFi access point.
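To make the medium-interaction category concrete, here is an added example (not code from the WOMBAT study or from any of the projects it names) of a tiny service emulator in the Nepenthes style: the host's real TCP/IP stack accepts the connection, and only the application protocol (a fake FTP login dialogue) is emulated. It never grants access; its job is to answer plausibly and record what the peer sends. The banner, hostname, port and the session below are constructed for the example.

```python
import socketserver
from datetime import datetime, timezone

# Constructed banner for the example; a real deployment would mimic a specific
# server version so that scanners classify the host as an ordinary FTP server.
BANNER = b"220 ftp.example.test FTP server ready\r\n"


class FtpEmulator:
    """Minimal state machine emulating an FTP login dialogue.

    Only the protocol is simulated; the IP stack is the real one, which is
    what distinguishes a medium-interaction honeypot from Honeyd-style
    low-interaction ones that also fake the network layers.
    """

    def __init__(self, peer: str):
        self.peer = peer
        self.user = None
        self.events = []  # (kind, detail) tuples destined for the log

    def feed(self, line: bytes) -> bytes:
        """Consume one command line and return the response bytes to send."""
        text = line.decode("latin-1").rstrip("\r\n")
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return b"331 Password required\r\n"
        if verb == "PASS":
            # Credentials tried against a decoy are a high-signal event.
            self.events.append(("login_attempt", f"{self.user}:{arg}"))
            return b"530 Login incorrect\r\n"
        if verb == "QUIT":
            return b"221 Goodbye\r\n"
        # Anything unexpected is recorded (truncated): malformed or oversized
        # input is usually the most interesting part of a capture.
        self.events.append(("unknown_command", text[:200]))
        return b"502 Command not implemented\r\n"


def run_session(peer: str, lines: list) -> tuple:
    """Drive one emulator over raw input lines; returns (responses, events).

    Kept separate from the socket code so the dialogue can be exercised
    offline against a replayed capture.
    """
    emu = FtpEmulator(peer)
    responses = [BANNER]
    for line in lines:
        responses.append(emu.feed(line))
        if line.upper().startswith(b"QUIT"):
            break
    return responses, emu.events


class Handler(socketserver.StreamRequestHandler):
    """One TCP connection = one emulated FTP session."""

    def handle(self):
        emu = FtpEmulator(self.client_address[0])
        self.wfile.write(BANNER)
        while True:
            line = self.rfile.readline(4096)  # bounded read: never trust peer input
            if not line:
                break
            self.wfile.write(emu.feed(line))
            if line.upper().startswith(b"QUIT"):
                break
        stamp = datetime.now(timezone.utc).isoformat()
        for kind, detail in emu.events:
            print(stamp, emu.peer, kind, detail)


if __name__ == "__main__":
    # Constructed, non-privileged listen address for the example.
    with socketserver.TCPServer(("127.0.0.1", 2121), Handler) as srv:
        srv.serve_forever()
```

Run it and connect with any FTP client to see the dialogue; every login attempt and unknown command is printed with a UTC timestamp. Because the emulator is a closed state machine with bounded reads and no filesystem access, the interaction is shallow by design, which is the trade-off the study describes: such a honeypot is cheap and safe to operate, but an attacker (or automated malware) that needs a working service past the login prompt will not get further, and that is where high-interaction systems such as Argos take over.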


The attack detection techniques

The second important aspect of honeypot systems (at least for medium- or high-interaction ones) is the ability to accurately detect when an attack occurs. The WOMBAT study dedicates a chapter (§ 2.3) to this aspect. A critical analysis of the existing mechanisms for detecting buffer overflows is presented first. More advanced techniques are then detailed, such as "data tainting" and detection based on attack signatures (as implemented in the "Packet Vaccine" or "Vigilante" solutions).


The malware analysis techniques

The last aspect of a honeypot infrastructure is the analysis of the captured malware. Chapter 4 of the WOMBAT study covers this topic. Reverse engineering and code decompilation techniques are not covered there, because they require manual analysis of the malware. The study instead focuses on automatic techniques that could be used to classify captured malware. This is a research topic for which no operational solution is available yet. Possible approaches are to derive the malware's behavioral characteristics by simulating its execution, or to apply formal methods to the program structure (such as graph-based analysis or program reduction via logical equivalences).


An Inventory of the existing initiatives

One of the largest chapters of the WOMBAT study (Chapter 3) provides an inventory of all known initiatives that aim to assist in monitoring malicious activities. This is a very impressive compilation (29 initiatives were identified and analyzed) covering several different areas:


Conclusion

This WOMBAT state-of-the-art study gives a comprehensive overview of the existing initiatives in this field. It is a must-read reference for anyone starting to study the topic.


For further information:

WOMBAT Deliverable D03/D2.2, Analysis of the state of the art: http://wombat-project.eu/2008/11/wombat-deliverable-d03d22-anal.html
